Cisco has fixed three bugs in its Cisco Webex video conferencing offering that may allow attackers to:
- Join Webex meetings without appearing in the participant list (CVE-2020-3419)
- Covertly maintain an audio connection to a Webex meeting after being expelled from it (CVE-2020-3471)
- Gain access to information (name, email, IP address, device info) on meeting attendees without being admitted to the meeting (CVE-2020-3441)
About the Cisco Webex vulnerabilities
The three flaws were discovered by IBM researchers, after the company’s research department and the Office of the CISO decided to analyze their primary tool for remote meetings (i.e., Cisco Webex).
“These vulnerabilities work by exploiting the handshake process that Webex uses to establish a connection between meeting participants,” the researchers shared.
“These flaws affect both scheduled meetings with unique meeting URLs and Webex Personal Rooms. Personal rooms may be easier to exploit because they are often based on a predictable combination of the room owner’s name and organization name. These technical vulnerabilities could be further exploited with a combination of social engineering, open source intelligence (OSINT) and cognitive overloading techniques.”
The vulnerabilities can all be exploited by unauthenticated, remote attackers, either by sending crafted requests to a vulnerable Cisco Webex Meetings or Cisco Webex Meetings Server site or by browsing the Webex roster.
More details about the possible attacks are available in this blog post, though details about the flaws will be limited until more users are able to implement the provided updates/patches.
Patches and security updates
The bugs affect both Cisco Webex Meetings sites (cloud-based) and Cisco Webex Meetings Server (on-premises).
Cisco addressed them in Cisco Webex Meetings sites a few days ago and no user action is required.
Users of Cisco Webex Meetings Server are advised to upgrade to 3.0MR3 Security Patch 5 or 4.0MR3 Security Patch 4, which contain the needed fixes.
CVE-2020-3419 also affects all Cisco Webex Meetings apps releases 40.10.9 and earlier for iOS and Android, so users are urged to implement the provided updates.
Cisco has released security updates for Cisco Webex Meetings and Cisco Webex Meetings Server that fix several remotely exploitable vulnerabilities, as well as one less severe one that could allow hackers to gain access to a target’s Webex account.
The patched Cisco Webex vulnerabilities
CVE-2020-3361 affects Cisco Webex Meetings sites and Cisco Webex Meetings Server and could allow an unauthenticated, remote attacker to gain unauthorized access to a vulnerable Webex site.
Customers on Cisco-hosted Webex Meetings sites do not need to take any actions to receive this update, but those running Cisco Webex Meetings Server on-premises should apply the updated version.
CVE-2020-3263 is an improper input validation flaw that could allow an unauthenticated, remote attacker to execute programs on an affected end-user system after persuading a user to follow a malicious URL.
It affects Cisco Webex Meetings Desktop App releases earlier than release 39.5.12.
CVE-2020-3342 is due to improper validation of cryptographic protections on files that are downloaded by the application as part of a software update.
“An attacker could exploit this vulnerability by persuading a user to go to a website that returns files to the client that are similar to files that are returned from a valid Webex website. The client may fail to properly validate the cryptographic protections of the provided files before executing them as part of an update. A successful exploit could allow the attacker to execute arbitrary code on the affected system with the privileges of the user,” Cisco explained.
The flaw affects lockdown versions of Cisco Webex Meetings Desktop App for Mac earlier than release 39.5.11.
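The defect Cisco describes is a client that executes downloaded update files without a cryptographic check that binds them to the vendor. The following is an added example, not Cisco's code or a reconstruction of the Webex updater: it contrasts a "weak" validator that only checks a server-supplied digest (which any lookalike site can satisfy) with a "strict" one that also requires an Ed25519 signature verifiable under a key pinned in the client. The manifest layout, the key handling and the payloads are all constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// UpdateManifest is what a hypothetical update endpoint hands the client:
// the update payload, the SHA-256 digest the server claims for it, and an
// Ed25519 signature over that digest. In a real updater the payload would be
// a downloaded file; here it is a constructed byte string.
type UpdateManifest struct {
	Payload   []byte
	Digest    []byte // SHA-256 of Payload, as claimed by the server
	Signature []byte // Ed25519 signature over Digest
}

// newVendorKey generates a release-signing key pair. The public half is what
// a client would pin in its binary.
func newVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// signRelease is the vendor side: digest the payload and sign the digest.
func signRelease(priv ed25519.PrivateKey, payload []byte) UpdateManifest {
	sum := sha256.Sum256(payload)
	return UpdateManifest{
		Payload:   payload,
		Digest:    sum[:],
		Signature: ed25519.Sign(priv, sum[:]),
	}
}

// forgeRelease is the attacker side: a lookalike site serving its own payload
// with a self-consistent digest, signed by a key the attacker generated.
func forgeRelease(payload []byte) UpdateManifest {
	_, attackerPriv := newVendorKey()
	return signRelease(attackerPriv, payload)
}

// weakValidate is the failure mode the advisory describes: the client checks
// only that the payload matches the digest the server sent, which any server
// can satisfy, including one serving files that merely look like Webex's.
func weakValidate(m UpdateManifest) bool {
	sum := sha256.Sum256(m.Payload)
	return bytes.Equal(sum[:], m.Digest)
}

// strictValidate is the hardened form: the digest must match AND the signature
// over it must verify under the pinned vendor key before anything is executed.
func strictValidate(pinned ed25519.PublicKey, m UpdateManifest) error {
	sum := sha256.Sum256(m.Payload)
	if !bytes.Equal(sum[:], m.Digest) {
		return errors.New("payload does not match manifest digest")
	}
	if !ed25519.Verify(pinned, sum[:], m.Signature) {
		return errors.New("signature does not verify under pinned vendor key")
	}
	return nil
}

func main() {
	pub, priv := newVendorKey()
	genuine := signRelease(priv, []byte("constructed genuine update payload"))
	forged := forgeRelease([]byte("constructed attacker payload"))

	fmt.Println("weak check accepts genuine:", weakValidate(genuine))
	fmt.Println("weak check accepts forged: ", weakValidate(forged))
	fmt.Println("strict check, genuine:", strictValidate(pub, genuine))
	fmt.Println("strict check, forged: ", strictValidate(pub, forged))
}
```

The point to carry over to any updater is that the verification key must come from the client itself, not from the same channel that delivers the update; a digest or signature fetched alongside the payload proves only that the server is self-consistent, which is exactly what an attacker-controlled site can arrange.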
Finally, CVE-2020-3347 affects only Cisco Webex Meetings Desktop App for Windows releases earlier than 40.6.0, but may be used by a local, authenticated attacker to retrieve sensitive information and authentication tokens that could help them access the target’s Webex account.
“In an attack scenario any malicious local user or malicious process running on a computer where Webex Client for Windows is installed can monitor the memory mapped file for a login token. Once found, the token, like any leaked credentials, can be transmitted somewhere so that it can be used to log in to the Webex account in question, download Recordings, view/edit Meetings and so on,” says Trustwave researcher Martin Rakhmanov, who discovered the flaw.
Phishing emails impersonating Zoom and WebEx
“Video conferencing has become very popular very quickly. Attackers have noticed and moved to capitalize on that popularity and brand strength,” noted Sherrod DeGrippo, Senior Director of Threat Research at Proofpoint.
“Not only are attackers using video conferencing brands as a lure for malware, but they’re using it for credential phishing, in particular to steal Zoom and WebEx credentials.”
Some of the lures are not particularly original, but will surely fool some of the targets. For example, an email that welcomes users to their new Zoom account and requests them to activate their account, or an email that claims that the user has missed a scheduled Zoom conference meeting (see above).
In both cases, the attackers are after account credentials, either for Zoom or for the target’s email account.
The fake emails purportedly coming from Cisco are a mishmash of unconnected visual elements and subject lines that command attention (e.g., “Critical Update!” or “Alert!”):
Many targets will spot the malicious nature of the email almost immediately, as it warns about an old vulnerability in software that has nothing to do with Cisco WebEx (apart from the fact that both are developed by Cisco). But there are always some recipients who panic, or are inattentive enough at the moment of perusal, and will end up entering their login credentials.
The value of compromised video conferencing accounts is obvious. “Stolen account credentials could be used to login to corporate video conferencing accounts and violate confidentiality. They also could likely be sold on the black market or used to gain further information about potential targets for launching additional attacks,” DeGrippo noted.
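The lures described in this section share one structural tell: a display name that invokes Zoom, WebEx or Cisco on a message whose sending domain belongs to none of them. The following is an added example of a mail-gateway check for that pattern; it is not Proofpoint's detection logic or any product's code. The brand-to-domain table and the sample From headers are constructed for the example (the impersonating domains are invented `.example` names), and the check deliberately looks only at the display name, since a brand mentioned in a subject or body is a much weaker signal.

```go
package main

import (
	"fmt"
	"net/mail"
	"strings"
)

// brandRule ties a brand name that appears in lures to the domains the brand
// legitimately sends from. Constructed for this example; in production the
// list would come from verified sender data.
type brandRule struct {
	name    string
	domains []string
}

// Order matters: "cisco webex" should be attributed to webex before cisco.
var brandRules = []brandRule{
	{"webex", []string{"webex.com", "cisco.com"}},
	{"cisco", []string{"cisco.com"}},
	{"zoom", []string{"zoom.us"}},
}

// ownedBy reports whether domain equals one of the owned domains or is a
// subdomain of one of them.
func ownedBy(domain string, owned []string) bool {
	for _, d := range owned {
		if domain == d || strings.HasSuffix(domain, "."+d) {
			return true
		}
	}
	return false
}

// classifyFrom parses an RFC 5322 From header and flags it when the display
// name names a brand that the sending domain does not belong to. An empty
// brand with flagged=false means no impersonation was detected.
func classifyFrom(fromHeader string) (brand string, flagged bool, err error) {
	addr, err := mail.ParseAddress(fromHeader)
	if err != nil {
		return "", false, err
	}
	at := strings.LastIndex(addr.Address, "@")
	if at < 0 {
		return "", false, fmt.Errorf("no domain in address %q", addr.Address)
	}
	domain := strings.ToLower(addr.Address[at+1:])
	display := strings.ToLower(addr.Name)
	for _, r := range brandRules {
		if strings.Contains(display, r.name) && !ownedBy(domain, r.domains) {
			return r.name, true, nil
		}
	}
	return "", false, nil
}

func main() {
	// Constructed headers modelled on the lures discussed above.
	samples := []string{
		`"Zoom" <no-reply@zoom.us>`,
		`"Zoom Video Communications" <alerts@zoom-account-verify.example>`,
		`"Cisco WebEx" <security@cisco-update.example>`,
		`"Cisco Security" <psirt@cisco.com>`,
		`"Jane Doe" <jane@partner.example>`,
	}
	for _, s := range samples {
		brand, flagged, err := classifyFrom(s)
		fmt.Printf("%-66s flagged=%-5v brand=%q err=%v\n", s, flagged, brand, err)
	}
}
```

A rule like this catches the "welcome to your new Zoom account" and "Critical Update!" lures only when the header is spoofed crudely; a message that passes SPF/DKIM for the attacker's own domain will still be flagged here, because the check is about brand misuse rather than forgery, but a message sent from a genuinely compromised vendor mailbox will not be.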
Malware delivery campaign
The researchers have also spotted an email malware delivery campaign that does not impersonate the aforementioned video conferencing vendors, but does exploit the widespread use of their products.
The emails are made to look like they are coming from a potential client who asked for a quote, says they are available for a call via Zoom, and contain a booby-trapped Excel file in the attachment, supposedly containing the sender’s schedule.
To view the contents, the recipient is asked to enable macros. If they do, the macros execute a script that, unbeknownst to the victim, installs a legitimate remote control application, which the attackers then use to access files and information on the compromised system.
Users are warned to be on the lookout for these and similar lures, and to keep in mind that phishers love nothing more than (ab)using popular brands as social engineering lures. These specific campaigns were directed at employees in US companies in the technology, accounting, aerospace, energy, healthcare, telecommunications, transportation, government, and manufacturing sectors.
Cisco has released another batch of fixes for a number of its products. Among the vulnerabilities fixed are critical flaws affecting a variety of Cisco IP phones and Cisco UCS Director and Cisco UCS Director Express for Big Data, its unified infrastructure management solutions for data center operations.
The critical vulnerabilities
Jacob Baines, a research engineer with Tenable, unearthed two critical flaws affecting the Cisco Wireless IP Phone 8821. Cisco then tested other IP phones and found several series that were affected, as well.
CVE-2020-3161 affects the web server and CVE-2016-1421 the web application for Cisco IP Phones. Both may allow an unauthenticated remote attacker to trigger a stack-based buffer overflow by sending a crafted HTTP request, which could ultimately lead to a DoS condition or may allow the attacker to execute code with root privileges.
If you’re wondering why the CVE of the latter vulnerability indicates that it was reported in 2016, it’s because it (partly) was.
“During Tenable’s original analysis, they noted the similarity of this vulnerability to [a previously discovered bug]. However, Cisco’s advisory described the vulnerability as requiring authentication, DoS only, and the Wireless IP Phone 8821 wasn’t listed on the affected list. After disclosing to Cisco, they informed Tenable that the described bug was CVE-2016-1421 and subsequently updated their disclosure,” Tenable explained.
Admins are advised to check whether the IP phones in use in their enterprise are affected and, if so, to upgrade the firmware. There are no workarounds for the flaws, but exploitation risk can be mitigated by disabling web access. Web access is disabled by default on Cisco IP phones, but some enterprises might have enabled it.
Baines has published Denial of Service PoCs for both flaws on Tenable’s GitHub repository.
Cisco has also provided fixes for nine authentication bypass vulnerabilities in the REST API of Cisco UCS Director and Cisco UCS Director Express for Big Data.
Only one of these is deemed critical. Exploiting one or more of them could allow a remote attacker to bypass authentication or conduct directory traversal attacks on an affected device.
Admins are advised to upgrade to UCS Director Release 6.7.4.0 and UCS Director Express for Big Data Release 3.7.4.0 to plug the security holes.
The flaws were discovered by infosec specialist Steven Seeley of Source Incite, who promised to provide more details about the vulnerabilities soon.
The high-risk vulnerabilities
Finally, a path traversal vulnerability in Cisco Unified Communications Manager (UCM) and Cisco Unified Communications Manager Session Management Edition (SME) could allow an unauthenticated, remote attacker to read arbitrary files on the system.
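Both the UCS Director REST API directory traversal and the UCM file-read flaw above are instances of the same bug class: a client-supplied path is joined onto a server directory without confirming that the result still lies inside it. The following is an added example, not Cisco's code and not a reconstruction of either vulnerability, showing why the usual first fix (rejecting a literal `../`) is insufficient once URL encoding is involved, and what a check that normalises and then compares against the root looks like. The document root and request paths are constructed for the example; it assumes a Unix path separator.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path/filepath"
	"strings"
)

var errTraversal = errors.New("requested path escapes the permitted root")

// naiveReject is the kind of check a traversal bug typically slips past: it
// looks for a literal "../" in the raw request and nothing else.
func naiveReject(rawRequested string) bool {
	return strings.Contains(rawRequested, "../")
}

// resolveUnderRoot decodes the client-supplied path, joins it onto root and
// refuses the result unless it still lies beneath root after normalisation.
// On success it returns the absolute path the handler may open.
func resolveUnderRoot(root, rawRequested string) (string, error) {
	requested, err := url.PathUnescape(rawRequested)
	if err != nil {
		return "", err
	}
	if strings.IndexByte(requested, 0) >= 0 {
		return "", errors.New("NUL byte in requested path")
	}
	cleanRoot := filepath.Clean(root)
	// Join runs Clean, so "a/../../b" is collapsed before the comparison.
	candidate := filepath.Join(cleanRoot, requested)
	rel, err := filepath.Rel(cleanRoot, candidate)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errTraversal
	}
	return candidate, nil
}

func main() {
	const root = "/srv/reports" // hypothetical document root
	for _, req := range []string{
		"2020/q1.csv",
		"2020/../2020/q1.csv",
		"../../etc/passwd",
		"%2e%2e/%2e%2e/etc/passwd",
	} {
		p, err := resolveUnderRoot(root, req)
		fmt.Printf("%-28s naiveReject=%-5v resolved=%q err=%v\n", req, naiveReject(req), p, err)
	}
}
```

Note that the decode step runs exactly once, matching what a web framework does before handing the path to application code; if the framework has already decoded, decoding again here would reintroduce a double-encoding bypass, so the check must sit at the point where the path is in its final form.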